diff --git a/package/systemd/veilid-server.service b/package/systemd/veilid-server.service
index 43d10849..f8d39fae 100644
--- a/package/systemd/veilid-server.service
+++ b/package/systemd/veilid-server.service
@@ -8,14 +8,36 @@ After=network-online.target
 [Service]
 Type=simple
 Environment=RUST_BACKTRACE=1
-ExecStart=/usr/bin/veilid-server
+ExecStart=/usr/bin/veilid-server -c /etc/veilid-server/veilid-server.conf
 ExecReload=/bin/kill -s HUP $MAINPID
 KillSignal=SIGQUIT
 TimeoutStopSec=5
-PrivateTmp=true
 WorkingDirectory=/
 User=veilid
 Group=veilid
+CapabilityBoundingSet=
+SystemCallFilter=@system-service
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectHome=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/db/veilid-server
+ConfigurationDirectory=veilid-server
+
+RestrictRealtime=true
+SystemCallArchitectures=native
+LockPersonality=true
+RestrictSUIDSGID=true
+
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
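Review bot: The added sandbox block in `[Service]` leaves the socket and namespace surface unrestricted. For a network-facing daemon I would add `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and `RestrictNamespaces=true` next to the other `Restrict*` lines; `AF_NETLINK` may also be needed if the server enumerates interfaces, which this hunk does not show. Separately, `ProtectSystem=strict` combined with `ReadWritePaths=/var/db/veilid-server` makes the unit fail at mount-namespace setup when that directory does not exist, and nothing visible here creates it. Either the package scripts must create it, owned by `veilid`, before first start, or the line should carry a comment such as `# must exist before start; created by the package postinst`. Running `systemd-analyze security veilid-server.service` against the installed unit would confirm what remains exposed after this change.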